From: Wolfgang Hotwagner
Date: Wed, 13 Dec 2017 20:53:34 +0000 (+0000)
Subject: (Remote)Code-Execution while loading yaml-file
X-Git-Tag: 1.0.0b1~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=76270e73128ca1299b4e33e7e2a74ac3d963a97a;p=thirdparty%2Fsuricata-update.git
(Remote)Code-Execution while loading yaml-file
The list of possible sources for suricata-update is downloaded from "https://www.openinfosecfoundation.org/rules/index.yaml" per default. Suricata-Update uses the insecure yaml.load()-function. Code will be executed if the yaml-file contains lines like: hello: !!python/object/apply:os.system ['ls -l > /tmp/output'] The vulnerable function can be triggered by "suricata-update list-sources". The locally stored index.yaml will be loaded in this function and the malicious code gets executed. This commit fixes Bug #2359
---
diff --git a/suricata/update/config.py b/suricata/update/config.py
index dc912e4..3697040 100644
--- a/suricata/update/config.py
+++ b/suricata/update/config.py
@@ -133,13 +133,13 @@ def init(args):
 if args.config:
 logger.info("Loading %s", args.config)
 with open(args.config, "rb") as fileobj:
- config = yaml.load(fileobj)
+ config = yaml.safe_load(fileobj)
 if config:
 _config.update(config)
 elif os.path.exists(DEFAULT_UPDATE_YAML_PATH):
 logger.info("Loading %s", DEFAULT_UPDATE_YAML_PATH)
 with open(DEFAULT_UPDATE_YAML_PATH, "rb") as fileobj:
- config = yaml.load(fileobj)
+ config = yaml.safe_load(fileobj)
 if config:
 _config.update(config)
diff --git a/suricata/update/sources.py b/suricata/update/sources.py
index 083edf7..ac64ce1 100644
--- a/suricata/update/sources.py
+++ b/suricata/update/sources.py
@@ -96,7 +96,7 @@ class Index:
 self.reload()
 def reload(self):
- index = yaml.load(open(self.filename, "rb"))
+ index = yaml.safe_load(open(self.filename, "rb"))
 self.index = index
 def resolve_url(self, name, params={}):
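Review bot: Both `config = yaml.safe_load(fileobj)` lines in `init` accept any YAML document, so a config file whose top level is a list or a scalar passes the `if config:` test and reaches `_config.update(config)`, which then fails with a TypeError/ValueError instead of naming the offending file; a shape check right after each load, `if config is not None and not isinstance(config, dict): raise ValueError("%s: top-level YAML must be a mapping" % args.config)` (or whatever error type `init` reports elsewhere), gives a clear message. The reason for `safe_load` is only in the commit message; a comment on the first changed line keeps it with the code: `# safe_load only: yaml.load() instantiates arbitrary Python objects from the file (Bug #2359)`. `init` starts before this hunk, so its remaining body is not visible here.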
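Review bot: `index = yaml.safe_load(open(self.filename, "rb"))` in `Index.reload` opens the index file without a context manager, so the handle is closed only when the garbage collector releases it; the same pattern is on the changed line of the `get_enabled_sources` hunk that follows. Replace it with `with open(self.filename, "rb") as fileobj:` / `index = yaml.safe_load(fileobj)`. `safe_load` also returns None for an empty file, so `self.index` can become None; whether `resolve_url` and other readers tolerate that is not visible in this hunk and is worth confirming. Switching to `safe_load` closes the object-instantiation path, but the commit message says this index is downloaded from a remote URL by default, so its structure should still be treated as untrusted input wherever it is read.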
@@ -128,7 +128,7 @@ def get_enabled_sources():
 for filename in filenames:
 if filename.endswith(".yaml"):
 path = os.path.join(dirpath, filename)
- source = yaml.load(open(path, "rb"))
+ source = yaml.safe_load(open(path, "rb"))
 sources[source["source"]] = source
 if "params" in source:
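Review bot: `sources[source["source"]] = source` on the line after the changed one assumes every `.yaml` file in the directory parses to a mapping with a `source` key, but `yaml.safe_load` returns None for an empty file, so one stray empty or malformed file raises TypeError/KeyError and aborts loading of every source. A guard before the assignment, `if not isinstance(source, dict) or "source" not in source:` / `logger.warning("Ignoring %s: not a source definition", path)` / `continue`, confines the damage to the bad file; this assumes sources.py has a `logger` like config.py does, which the hunk does not show. `get_enabled_sources` starts before this hunk and its body continues after the last visible line.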